Extending activity diagrams for RBAC policies specification

Salim Chehida, Akram Idani, Yves Ledru, Mustapha Kamel Rahmouni

Département Informatique, Faculté des Sciences Exactes et Appliquées, Université Oran1 Ahmed BenBella, BP 1524 EL Mnaouer Oran- Algérie

Univ. Grenoble Alpes, LIG, 38000 Grenoble, France

Univ. Grenoble Alpes, LIG, 38000 Grenoble, France, CNRS, LIG, 38000 Grenoble, France

Département Informatique, Faculté des Sciences Exactes et Appliquées, Université Oran1 Ahmed BenBella, BP 1524 EL Mnaouer Oran- Algérie

Corresponding Author Email: Salim.Chehida@imag.fr, Akram.Idani@imag.fr, Yves.Ledru@imag.fr, kamelrahmouni1946@gmail.com
30 April 2016

The evolution of organizations and their information systems towards more openness raises the challenge of their security. The definition of an access control policy is a major activity in the design of an Information System. This paper proposes an approach for the specification of security policies, based on the RBAC model, at the workflow level. This approach propagates permissions defined on a class diagram, using the SecureUML profile, towards constraints linked to the business process activities. Activity diagrams are defined at two levels: an abstract level which does not detail these permissions and a concrete level where constraints are associated with specific actions or with the whole diagram. A metamodel has been defined in order to specify the semantics of these activity diagrams and the semantics of their links with SecureUML models. This paper presents an extended version of (Chehida et al., 2015), which proposes a set of rules to ensure consistency between the concrete activity models and SecureUML models, and the implementation of these rules in a tool that reports all contradictions between both models.


RBAC, Workflow, business process, SecureUML, UML2, activity diagram, consistency

1. Introduction
2. SecureUML
3. Access control for activities
4. Extension of the activity diagram metamodel
5. Validation of the consistency rules
6. Related work
7. Conclusion and perspectives

Abrial J.-R. (1996). The B-book: assigning programs to meanings. Cambridge University Press.

Ahn G., Sandhu R., Kang M., Park J. (2000). Injecting RBAC to secure a web-based workflow system. In the 5th ACM Workshop on Role-Based Access Control, p. 1-10. New York, NY, USA, Morgan Kaufmann Publisher.

Alghathbar K. (2012). Representing access control policies in use cases. International Arab Journal of Information Technology, vol. 9, no 3.

Allaki D., Dahchour M., En-nouaary A. (2015). A new taxonomy of inconsistencies in UML models with their detection methods for better MDE. International Journal of Computer Science and Applications, vol. 12, no 1, p. 48-65.

ANSI. (2004). Role based access control. American national standard for information technology, vol. 359, no 2004, p. 1-47.

Basin D. A., Clavel M., Doser J., Egea M. (2009). Automated analysis of security-design models. Information and Software Technology, vol. 51, no 5, p. 815-831.

Basin D. A., Doser J., Lodderstedt T. (2006). Model driven security: From UML models to access control infrastructures. ACM Transactions on Software Engineering and Methodology, vol. 15, no 1, p. 39-91.

Bertino E., Ferrari E., Atluri V. (1999). The specification and enforcement of authorization constraints in workflow management systems. ACM Transactions on Information and System Security, vol. 2, no 1, p. 65-104.

Botha R., Eloff J. (2001). Separation of duties for access control enforcement in workflow environments. IBM Systems Journal, vol. 40, no 3, p. 666–682.

BPMN2. (2011). Business Process Modeling Notation (BPMN) Version 2.0. Object Management Group. (http://www.omg.org/spec/BPMN/2.0/formal-11-01-03.pdf)

Brucker A. D., Hang I., Lückemeyer G., Ruparel R. (2012). SecureBPMN: Modeling and Enforcing Access Control Requirements in Business Processes. In Proceedings of the 17th ACM Symposium on Access Control Models and Technologies, p. 123-126. New York, NY,


Chehida S., Idani A., Ledru Y., Rahmouni M. (2015). Extensions du diagramme d’activité pour contrôler l’accès au SI. In INFormatique des ORganisations et Systèmes d’Information et de Décision, p. 151-165. Biarritz, France.

Chiorean D., Paşca M., Cârcu A., Botiza C., Moldovan S. (2004). Ensuring UML Models Consistency Using the OCL Environment. Electronic Notes in Theoretical Computer Science, vol. 102, p. 99-110.

Elaasar M., Briand L. (2004). An overview of UML consistency management. Technical report no SCE-04-18. Carleton.

Feather M. S., Fickas S., Finkelstein A., Lamsweerde A. van. (1997). Requirements and Specification Exemplars. Automated Software Engineering, vol. 4, no 4, p. 419-438.

Ferraiolo D., Kuhn D., Chandramouli R. (2003). Role-Based Access Control. Artech House.

Gaaloul K. (2010). Une approche sécurisée pour la délégation dynamique de tâches dans les systèmes de gestion de workflow. Doctoral thesis. Nancy, France.

Geambasu C. (2012). BPMN vs. UML activity diagram for business process modeling. Accounting and Management Information Systems, vol. 11, no 4, p. 637–651.

Gogolla M., Kuhlmann M., Hamann L. (2009). Consistency, Independence and Consequences in UML and OCL Models. In Tests and Proofs, vol. 5668, p. 90-104. Springer Berlin Heidelberg.

Huzar Z., Kuzniarz L., Reggio G., Sourrouille J. L. (2005). Consistency Problems in UML-Based Software Development. In N. J. Nunes, B. Selic, A. R. d. Silva, A. T. Alvarez (Eds.), UML Modeling Languages and Applications, p. 1-12. Springer Berlin Heidelberg.

Idani A., Ledru Y. (2015). B for Modeling Secure Information Systems - the B4MSecure platform. In The 17th International Conference on Formal Engineering Methods, vol. 4907. Springer.

Jurjens J. (2004). Secure systems development with UML. Berlin, Heidelberg, Springer-Verlag.

Kandala S., Sandhu R. (2002). Secure Role-Based Workflow Models. In Database and Application Security XV, vol. 87, p. 45-58. Springer.

Kuzniarz L., Staron M. (2003). Inconsistencies in student designs. In Workshop on Consistency Problems in UML-based software development II.

Lamsweerde A. van. (2007). Engineering requirements for system reliability and security. IOS Press, vol. 9, p. 196-238.

Legeard B., Peureux F., Utting M. (2002). Automated boundary testing from Z and B. In Fme’02, formal methods europe, vol. 2391. Springer.

Ma G., Wu K., Zhang T., Li W. (2011). A flexible policy-based access control model for Workflow Management Systems. In International IEEE Conference on Computer Science and Automation Engineering (CSAE), vol. 2, p. 533-537.

Matulevicius R., Dumas M. (2011). Towards Model Transformation between SecureUML and UMLsec for Role-based Access Control (vol. 224). IOS Press Ebooks.

Milhau J. (2011). Un processus formel d’intégration de politiques de contrôle d’accès dans les systèmes d’information. Doctoral thesis. Paris, France. (page 2)

Montrieux L., Wermelinger M., Yu Y. (2011). Tool Support for UML-Based Specification and Verification of Role-Based Access Control Properties. In 8th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering.

Mouratidis H., Giorgini P. (2007). Secure tropos: a security-oriented extension of the tropos methodology. International Journal of Software Engineering and Knowledge Engineering, vol. 17, no 2, p. 285–309.

OCL2. (2012). Object Constraint Language (OCL) Version 2.3.1. Object Management Group. (http://www.omg.org/spec/OCL/2.3.1/PDF/)

Rodríguez A., Fernández-Medina E., Piattini M. (2007). A BPMN Extension for the Modeling of Security Requirements in Business Processes. IEICE - Transactions on Information and Systems, vol. E90-D, no 4, p. 745-752.

Roques P. (2006). UML 2 par la Pratique. Paris, Eyrolles.

Russell N., Aalst W. van der, Hofstede A. ter, Wohed P. (2006). On the suitability of UML 2.0 activity diagrams for business process modelling. In 3rd Asia-Pacific conference on Conceptual modelling, p. 95-104.

Sarshar K., Loos V. (2007). Modeling the Resource Perspective of Business Processes by UML Activity Diagram and Object Petri Net. In Enterprise Modeling and Computing with UML, p. 204-215.

Souag A., Salinesi C., Mazo R., Comyn-Wattiau I. (2015). A security ontology for security requirements elicitation. In Engineering secure software and systems - 7th international symposium, essos 2015, milan, italy, march 4-6, 2015, p. 157–177.

Strembeck M., Mendling J. (2011). Modeling process-related RBAC models with extended UML activity models. Information and Software Technology, vol. 53, no 5, p. 456-483. (Special Section on Best Papers from {XP2010})

Torre D., Labiche Y., Genero M. (2014). UML consistency rules: a systematic mapping study. In 18th International Conference on Evaluation and Assessment in Software Engineering, p. 1-10. New York, NY, USA, ACM.

UML2. (2011). Unified modeling language: Superstructure (version 2.4). Object Management Group. (http://www.omg.org/spec/UML/2.4/Superstructure/ptc-10-11-14.pdf)

Wainer J., Barthelmess P., Kumar A. (2003). W-RBAC - a workflow security model incorporating controlled overriding of constraints. International Journal of Cooperative Information Systems, vol. 12, no 4, p. 455-486.

Wainer J., Kumar A., Barthelmess P. (2007). DW-RBAC: A formal security model of delegation and revocation in workflow systems. Information Systems, vol. 32, no 3, p. 365-384.

WFMC. (1999). Workflow management coalition Terminology and glossary. Workflow Management Coalition. (http://www.wfmc.org/standards/docs/TC-1011_term_glossary_v3.pdf)

Wolter C., Schaad A. (2007). Modeling of Task-Based Authorization Constraints in BPMN. In Business Process Management, p. 64-79. Springer Berlin Heidelberg.